aquatix writes
"This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice."
Here is milw0rm's proof-of-concept code.
(lambda ())
Offline
Wow that really works. Luckily there is already a patch out for it. http://git.kernel.org/?p=linux/kernel/g … 04f49cbc44
6EA3 F3F3 B908 2632 A9CB E931 D53A 0445 B47A 0DAB
Great things come in tar.xz packages.
Offline
@ ise
Fine then. I was just reporting so that at least the new one would come without vmsplice.
(lambda ())
Offline
Yeah, we heard about this yesterday and worked to fix it, including submitting things upstream. kernel26-2.6.24.1-2 is no longer vulnerable, although I can verify that 2.6.24.1-1 and any earlier kernel definitely was (ran the code locally myself, and broke some other things too...).
Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
Word of advice- don't try this exploit over SSH.
Offline
toofishes wrote:Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
What do you mean?... it is updated. When I heard about this I did a pacman -Syu and sure enough kernel26-2.6.24.1-2 came up (although I just checked a few other mirrors, and not all of them are as up to date).
6EA3 F3F3 B908 2632 A9CB E931 D53A 0445 B47A 0DAB
Great things come in tar.xz packages.
Offline
toofishes wrote:Word of advice- don't try this exploit over SSH.
How come? Does it not work (as) well if compiled and executed remotely?
Offline
Behold the power of open source software (and its community of users/hackers).
Offline
As I am using testing, I got it a few hours ago
/me loves arch and will stay with it for a long time
Offline
toofishes wrote:Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
What do you mean?... it is updated. When I heard about this I did a pacman -Syu and sure enough kernel26-2.6.24.1-2 came up (although I just checked a few other mirrors, and not all of them are as up to date).
Some people don't run pacman -Syu very often and therefore would still have an unpatched kernel; some update but for various reasons choose to use an older kernel. Those older kernels won't be patched by an Arch dev.
Offline
toofishes wrote:Yeah, we heard about this yesterday and worked to fix it, including submitting things upstream. kernel26-2.6.24.1-2 is no longer vulnerable, although I can verify that 2.6.24.1-1 and any earlier kernel definitely was (ran the code locally myself, and broke some other things too...).
Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
Word of advice- don't try this exploit over SSH.
mine is not vulnerable:
22:21:38 papio@baboon:/home/tmp$ uname -a
Linux baboon 2.6.24-ARCH #1 SMP PREEMPT Fri Feb 8 21:39:17 UTC 2008 i686 Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz GenuineIntel GNU/Linux
22:21:43 papio@baboon:/home/tmp$ ./a.out
-----------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------
[+] addr: 0xc0120740
[-] wtf
22:21:44 papio@baboon:/home/tmp$ whoami
papio
10:30:02 papio@baboon:~$ paqi kernel26
Name : kernel26
Version : 2.6.24.1-1
URL : http://www.kernel.org
Licenses : GPL2
Groups : base
Provides : None
Depends On : coreutils module-init-tools mkinitcpio>=0.5.15
Optional Deps : None
Required By : nvidia nvidia rt2500 rt2500 truecrypt virtualbox-modules wlan-ng26 wlan-ng26
Conflicts With : None
Replaces : None
Installed Size : 65773.50 K
Packager : Tobias Powalowski <tpowa@archlinux.org>
Architecture : i686
Build Date : Fri 08 Feb 2008 11:41:39 PM EET
Install Date : Sat 09 Feb 2008 08:27:18 AM EET
Install Reason : Explicitly installed
Install Script : Yes
Description : The Linux Kernel and modules
Last edited by zyghom (2008-02-11 08:34:30)
Zygfryd Homonto
Offline
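The thread gives two facts a defender can turn into a check: aquatix's affected range (kernels 2.6.17 through 2.6.24.1) and toofishes' first fixed build (kernel26-2.6.24.1-2). zyghom's paste also shows why `uname -r` alone is not enough on Arch: it reports 2.6.24-ARCH whether the installed package is 2.6.24.1-1 or the fixed -2 rebuild, so the package version has to be consulted. The POSIX sh below is an added example written for this page, not code from the thread or from Arch; it assumes Arch's `version-pkgrel` package versioning and the `-ARCH` suffix seen in the paste, and assumes (not stated in the thread) that anything newer than 2.6.24.1-2 is also fixed. The sample inputs are the values from zyghom's paste.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a kernel needs the
# vmsplice fix using the version facts the thread provides.
# Assumptions: "2.6.24-ARCH" style uname strings, "2.6.24.1-2" style
# pacman versions, and that builds newer than 2.6.24.1-2 are also fixed.

# Turn "2.6.24.1-2" or "2.6.24-ARCH" into a sortable integer key
# (major, then three zero-padded components; a missing 4th part is 0).
# Example: 2.6.24.1 -> 2006024001, 2.6.24-ARCH -> 2006024000
ver_key() {
    v=${1%%-*}                 # strip "-ARCH" or "-<pkgrel>"
    oldifs=$IFS
    IFS=.
    set -- $v                  # split on dots into $1..$4
    IFS=$oldifs
    printf '%d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# True (exit 0) when the running kernel version lies inside the range
# aquatix names: 2.6.17 <= version <= 2.6.24.1.
vmsplice_affected() {
    k=$(ver_key "$1")
    lo=$(ver_key 2.6.17)
    hi=$(ver_key 2.6.24.1)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# True (exit 0) when the installed kernel26 package is 2.6.24.1 with
# pkgrel >= 2 (the fixed build toofishes names) or anything newer.
# A version without a pkgrel is treated as pkgrel 0 (assumption).
kernel26_pkg_fixed() {
    k=$(ver_key "$1")
    fixed=$(ver_key 2.6.24.1)
    case $1 in
        *-*) rel=${1##*-} ;;
        *)   rel=0 ;;
    esac
    if [ "$k" -gt "$fixed" ]; then return 0; fi
    if [ "$k" -eq "$fixed" ] && [ "$rel" -ge 2 ]; then return 0; fi
    return 1
}

# Combine both views: uname tells you whether the release line is in range,
# but only the package version can tell -1 (vulnerable) from -2 (fixed).
report() {
    running=$1
    pkg=$2
    if vmsplice_affected "$running"; then
        echo "uname $running: inside the affected range 2.6.17..2.6.24.1"
    else
        echo "uname $running: outside the affected range"
    fi
    if kernel26_pkg_fixed "$pkg"; then
        echo "kernel26 $pkg: fixed build installed"
    else
        echo "kernel26 $pkg: run pacman -Syu to get kernel26-2.6.24.1-2 or later"
    fi
}

# Constructed input taken from zyghom's paste: uname -r said 2.6.24-ARCH,
# pacman said kernel26 2.6.24.1-1. On a live Arch box you would feed it
# "$(uname -r)" and the Version field of "pacman -Qi kernel26" instead.
report 2.6.24-ARCH 2.6.24.1-1
```

For zyghom's machine the report flags the package as still needing the update even though his run of the proof of concept printed `[-] wtf`, which is consistent with the later replies (wrong milw0rm entry, or the exploit needing more than one attempt); an exploit failing once is not evidence that the kernel is fixed, the package version is.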
toofishes wrote:Yeah, we heard about this yesterday and worked to fix it, including submitting things upstream. kernel26-2.6.24.1-2 is no longer vulnerable, although I can verify that 2.6.24.1-1 and any earlier kernel definitely was (ran the code locally myself, and broke some other things too...).
Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
Word of advice- don't try this exploit over SSH.
mine is not vulnerable:
Are you sure you tried 5092 and not 5093 on milworm?
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
Offline
toofishes wrote:Word of advice- don't try this exploit over SSH.
How come? Does it not work (as) well if compiled and executed remotely?
Because it might mess up ssh.
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
Offline
toofishes wrote:Yeah, we heard about this yesterday and worked to fix it, including submitting things upstream. kernel26-2.6.24.1-2 is no longer vulnerable, although I can verify that 2.6.24.1-1 and any earlier kernel definitely was (ran the code locally myself, and broke some other things too...).
Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
Word of advice- don't try this exploit over SSH.
mine is not vulnerable:
22:21:38 papio@baboon:/home/tmp$ uname -a
Linux baboon 2.6.24-ARCH #1 SMP PREEMPT Fri Feb 8 21:39:17 UTC 2008 i686 Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz GenuineIntel GNU/Linux
22:21:43 papio@baboon:/home/tmp$ ./a.out
-----------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------
[+] addr: 0xc0120740
[-] wtf
22:21:44 papio@baboon:/home/tmp$ whoami
papio
10:30:02 papio@baboon:~$ paqi kernel26
Name : kernel26
Version : 2.6.24.1-1
URL : http://www.kernel.org
Licenses : GPL2
Groups : base
Provides : None
Depends On : coreutils module-init-tools mkinitcpio>=0.5.15
Optional Deps : None
Required By : nvidia nvidia rt2500 rt2500 truecrypt virtualbox-modules wlan-ng26 wlan-ng26
Conflicts With : None
Replaces : None
Installed Size : 65773.50 K
Packager : Tobias Powalowski <tpowa@archlinux.org>
Architecture : i686
Build Date : Fri 08 Feb 2008 11:41:39 PM EET
Install Date : Sat 09 Feb 2008 08:27:18 AM EET
Install Reason : Explicitly installed
Install Script : Yes
Description : The Linux Kernel and modules
Sometimes you have to run it more than once, I think.
Offline
It worked with 2.6.23 but doesn't work now with the new kernel. Good work guys.
This still isn't fixed in Ubuntu (7.10).
Offline
ConnorBehan wrote:toofishes wrote:Keep in mind that Arch doesn't do any security releases of packages for this kind of thing, so if you are running an old kernel, you should watch out because we can't update those for you.
What do you mean?... it is updated. When I heard about this I did a pacman -Syu and sure enough kernel26-2.6.24.1-2 came up (although I just checked a few other mirrors, and not all of them are as up to date).
Some people don't run pacman -Syu very often and therefore would still have an unpatched kernel; some update but for various reasons choose to use an older kernel. Those older kernels won't be patched by an Arch dev.
Oh so they won't release 2.6.23-fixed, 2.6.22-fixed, etc. Well that's typical of a rolling release distro.
6EA3 F3F3 B908 2632 A9CB E931 D53A 0445 B47A 0DAB
Great things come in tar.xz packages.
Offline